Set secure parameter for xslt transformation
MaximPlusov committed Mar 18, 2024
1 parent 772abdc commit d5314cb
Showing 3 changed files with 46 additions and 8 deletions.
24 changes: 19 additions & 5 deletions core/src/main/java/org/verapdf/policy/PolicyChecker.java
Expand Up @@ -20,15 +20,15 @@
import org.verapdf.core.VeraPDFException;
import org.verapdf.core.utils.FileUtils;

import javax.xml.transform.Templates;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.*;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
* The veraPDF policy checker which is simply an abstraction that makes applying
Expand All @@ -39,7 +39,10 @@
* @version 0.1 Created 12 Dec 2016:17:51:12
*/
public final class PolicyChecker {
private static final TransformerFactory factory = TransformerFactory.newInstance();

private static final Logger LOGGER = Logger.getLogger(PolicyChecker.class.getCanonicalName());

private static final TransformerFactory factory = getTransformerFactory();
public static final String SCHEMA_EXT = "sch"; //$NON-NLS-1$
public static final String XSL_EXT = "xsl"; //$NON-NLS-1$
public static final String XSLT_EXT = "xslt"; //$NON-NLS-1$
Expand Down Expand Up @@ -204,4 +207,15 @@ private static void applySchematronXsl(final InputStream schematronXsl, final In
Transformer transformer = factory.newTransformer(new StreamSource(schematronXsl));
transformer.transform(new StreamSource(xmlReport), new StreamResult(policyReport));
}

private static TransformerFactory getTransformerFactory() {
TransformerFactory fact = TransformerFactory.newInstance();
try {
fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
} catch (TransformerConfigurationException e) {
LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
}
return fact;
}
}
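Review bot: In `getTransformerFactory()`, `setAttribute` reports an unsupported attribute with an unchecked `IllegalArgumentException`, which `catch (TransformerConfigurationException e)` does not cover; because the method runs from the `static final factory` initializer, a JAXP implementation that does not recognise `ACCESS_EXTERNAL_STYLESHEET` would make the class fail to initialise. The catch that is there fails open: it drops `e`, and a failure in `setFeature` also skips the `setAttribute` call, so an unhardened factory is returned with only a generic warning. I would guard the two calls separately and pass the exception to the logger, as below; whether to throw instead of continuing depends on whether policy files are treated as untrusted, which this page does not show. The same method body is added in SchematronPipeline.java and XsltTransformer.java.

```java
private static TransformerFactory getTransformerFactory() {
    // … unchanged: TransformerFactory.newInstance() …
    try {
        fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (TransformerConfigurationException e) {
        LOGGER.log(Level.WARNING, "Unable to secure xsl transformer", e);
    }
    try {
        fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
    } catch (IllegalArgumentException e) {
        LOGGER.log(Level.WARNING, "Unable to restrict external stylesheet access", e);
    }
    // … unchanged: return fact …
```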
10 changes: 8 additions & 2 deletions core/src/main/java/org/verapdf/policy/SchematronPipeline.java
Expand Up @@ -17,6 +17,7 @@
*/
package org.verapdf.policy;

import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
Expand All @@ -31,8 +32,7 @@
*/

final class SchematronPipeline {
private static final Logger LOGGER = Logger
.getLogger(SchematronPipeline.class.getName());
private static final Logger LOGGER = Logger.getLogger(SchematronPipeline.class.getName());

static final ClassLoader cl = SchematronPipeline.class.getClassLoader();
private static final TransformerFactory factory = getTransformerFactory();
Expand Down Expand Up @@ -85,6 +85,12 @@ private static File createTempFileResult(final Transformer transformer, final St

private static TransformerFactory getTransformerFactory() {
TransformerFactory fact = TransformerFactory.newInstance();
try {
fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
} catch (TransformerConfigurationException e) {
LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
}
fact.setURIResolver(new ClasspathResourceURIResolver());
return fact;
}
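Review bot: There is no comment in `getTransformerFactory()` explaining how the `"file"` restriction on `ACCESS_EXTERNAL_STYLESHEET` interacts with the `ClasspathResourceURIResolver` installed right after the try block. In the JDK's built-in XSLT implementation, as far as I know, a reference that a custom `URIResolver` resolves is loaded without the access check, so the restriction would only cover what the resolver declines; the resolver's code is not part of this diff, so that needs confirming. Once verified, I would add a comment above `setURIResolver` such as `// includes are served from the classpath by the resolver; ACCESS_EXTERNAL_STYLESHEET only limits references it does not resolve`.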
20 changes: 19 additions & 1 deletion core/src/main/java/org/verapdf/report/XsltTransformer.java
Expand Up @@ -23,8 +23,12 @@
import java.io.InputStream;
import java.io.PrintWriter;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
Expand All @@ -34,8 +38,11 @@
* @author Maksim Bezrukov
*/
public final class XsltTransformer {
private static final TransformerFactory factory = TransformerFactory.newInstance();

private static final Logger LOGGER = Logger.getLogger(XsltTransformer.class.getCanonicalName());

private static final TransformerFactory factory = getTransformerFactory();

private XsltTransformer() {
}

Expand Down Expand Up @@ -68,4 +75,15 @@ public static void transform(InputStream source, InputStream xslt, PrintWriter d

transformer.transform(new StreamSource(source), new StreamResult(destination));
}

private static TransformerFactory getTransformerFactory() {
TransformerFactory fact = TransformerFactory.newInstance();
try {
fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
} catch (TransformerConfigurationException e) {
LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
}
return fact;
}
}
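Review bot: The `"file"` value given to `ACCESS_EXTERNAL_STYLESHEET` is not explained, and `transform(InputStream source, InputStream xslt, ...)` is public and takes the stylesheet from its caller (its body starts outside the hunk). With `"file"`, a stylesheet can still reference other local files through `xsl:import`/`xsl:include`; if the report stylesheets are self-contained, an empty string would deny external references entirely. `ACCESS_EXTERNAL_DTD` is left at the implementation default; setting it explicitly, `fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");`, would make the intent visible if no DTDs need to be fetched. Either way, a one-line comment such as `// "file": <reason local stylesheet includes are needed>` would record the decision.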
